Hi Christian

I don't understand why the kerberos authentication itself is really relevant to CXF for two reasons:

1) The kerberos security token profile described a mapping for the GSS API to have a kerberos ticket issued when it was submitted to oasis:
http://xml.coverpages.org/WS-Security-Kerberos200312.pdf
Later this chapter was removed because it's out of scope how you obtain a ticket. You can use the JAAS Login Module for Kerberos to have the ticket issued, and the kerberos token profile describes how to attach the ticket to a soap message.

2) The issuance of kerberos tickets happens between the client and the kdc only (which is not related to CXF). Only the spec PKDA (I think it's not final) enables kerberos to work without a KDC (but based on PKI).

What is your use case for the kerberos usage?

Thanks
Oli
________________________________________
From: Daniel Kulp [dk...@apache.org]
Sent: Friday, 22 October 2010 03:51
To: dev@cxf.apache.org
Cc: Christian Schneider
Subject: Re: Spnego / Kerberos Authentication

On Thursday 21 October 2010 7:00:30 pm Christian Schneider wrote:
> I just found that HTTPClient supports spnego authentication now (as of
> 4.1 alpha 2). In fact I added an issue to support spnego/kerberos and
> oleg reminded me that it is already implemented. Could this help us to
> also support this authentication scheme?
> As far as I know we do not use httpclient at the moment.

I started a branch:
http://svn.apache.org/repos/asf/cxf/branches/async-client/
where I started working on using the http-commons stuff for a complete async client side for http (haven't touched https yet). The goal for me so far was to get a more scalable async capability (fewer threads), but it may be usable for this use case as well.

That said, for the pure async capabilities, you have to drop down into the http-core stuff and not the higher layer http-client stuff. Thus, it might not be usable at all. I don't really know. Didn't get into the auth parts and such. I'd love help if you want to look at it. :-)

>
> I can imagine two ways to support Spnego/Kerberos. Either we use
> httpclient and let it do the whole thing or we look how they do the
> scheme and add it to the http transport ourselves.
> Any opinions about this?

We could also add some better hooks to allow a user (LGPL, we cannot ship it) to plug in http://spnego.sourceforge.net/api/index.html to create the HttpUrlConnection.

>
> Thanks
>
> Christian

--
Daniel Kulp
dk...@apache.org
http://dankulp.com/blog
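
The split described in Oli's reply (JAAS and GSS-API obtain the ticket from the KDC; the Kerberos token profile only says how the ticket is carried in the SOAP header) can be shown with plain JDK classes. This is an added example, not code from the thread or from CXF; the class name, the JAAS entry name, the service name and the `wsu:Id` value are assumptions, and the fallback bytes are a constructed placeholder, not a ticket.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class KerberosTokenExample {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    static final String AP_REQ = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";

    // Client <-> KDC only: JAAS logs in (TGT), GSS-API fetches the service ticket
    // and returns it as a GSS-framed AP-REQ. No web service stack is involved.
    static byte[] requestApReq(String jaasEntry, String service) throws Exception {
        LoginContext lc = new LoginContext(jaasEntry); // entry configures Krb5LoginModule
        lc.login();
        try {
            // Subject.doAs is deprecated on recent JDKs (Subject.callAs replaces it).
            return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
                GSSManager mgr = GSSManager.getInstance();
                GSSName name = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = mgr.createContext(name, new Oid("1.2.840.113554.1.2.2"), // Kerberos v5
                        null, GSSContext.DEFAULT_LIFETIME);
                try {
                    return ctx.initSecContext(new byte[0], 0, 0);
                } finally {
                    ctx.dispose();
                }
            });
        } finally {
            lc.logout(); // drop the credentials from the Subject
        }
    }

    // Token profile part: carry the opaque ticket bytes in a BinarySecurityToken.
    static String toBinarySecurityToken(byte[] apReq, String id) {
        if (!id.matches("[A-Za-z_][A-Za-z0-9_.-]*")) // id lands in an XML attribute
            throw new IllegalArgumentException("id is not a valid XML name");
        return "<wsse:BinarySecurityToken xmlns:wsse=\"" + WSSE + "\" xmlns:wsu=\"" + WSU
                + "\" wsu:Id=\"" + id + "\" EncodingType=\"" + B64 + "\" ValueType=\"" + AP_REQ + "\">"
                + Base64.getEncoder().encodeToString(apReq) + "</wsse:BinarySecurityToken>";
    }

    public static void main(String[] args) throws Exception {
        // Without arguments, use constructed placeholder bytes (not a real ticket).
        byte[] apReq = args.length == 2 ? requestApReq(args[0], args[1])
                : new byte[] {0x60, 0x03, 0x01, 0x02, 0x03};
        System.out.println(toBinarySecurityToken(apReq, "krb-token-1"));
    }
}
```

With two arguments (a JAAS entry name and a host-based service name in the `service@host` form) the first method needs a reachable KDC and a JAAS configuration; without arguments only the wrapping step runs.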